Dr.Web was the first to detect Trojan loader for smart Linux devices with MIPS/MIPSEL architectures

August 24, 2017

The assortment of modern malicious programs for devices that run on Linux is extremely wide. One of the most widespread Trojans for this OS is Linux.Hajime, several loaders of which are detected only by the Dr.Web Anti-virus.

Virus analysts have been familiar with Trojans of the Linux.Hajime family since 2016. These are network worms for Linux distributed over the Telnet protocol. After obtaining a password via a brute-force attack and logging on to a device successfully, a malicious module saves a loader written in the Assembler language. Then, the malicious program connects the infected device to a decentralized P2P botnet. Linux.Hajime can infect devices with the ARM, MIPS, and MIPSEL architectures. The Trojan loaders, written in the Assembler language, are not detected by modern anti-viruses, except for the loader for ARM devices, which was described in detail by one anti-virus company in a research report.

In addition to the loader for ARM devices, similar modules for devices with the MIPS and MIPSEL architectures have been distributed “in the wild” for over six months already. The first of them is Linux.DownLoader.506 and the second is Linux.DownLoader.356. At the moment this article was being written, only Dr.Web products were able to detect both these worms. Moreover, Doctor Web virus analysts have found that, in addition to using Trojan loaders, cybercriminals are infecting devices using standard utilities—for example, they are downloading Linux.Hajime via wget. And starting on July 11, 2017, they began downloading the Trojan to the attacked devices with the help of tftp utility.

Statistics collected by Doctor Web specialists show that Mexico ranks first among the countries to which the IP addresses of the devices infected by Linux.Hajime belong. Turkey and Brazil are also in the top three. The geographical distribution of the infected devices’ IP addresses is shown in the diagram below:

The following diagram shows the number of attacks carried out for the purpose of distributing Linux.Hajime in August 2017, as detected by Doctor Web.

Doctor Web reminds users that one of the most reliable ways to prevent attacks on Linux devices is to promptly change the default login and password. It is also recommended that users place restrictions on external connections being made to their devices via the Telnet and SSH protocols and to timely update their firmware. Dr.Web for Linux detects and deletes all the aforementioned versions of Linux.Hajime loaders and allows devices to be scanned remotely.

Get Dr.Weblings
for participating in activities on our website

1 activity = 1 Dr.Webling

Rate

To vote, log in under your account or create an account if you don't have one yet.

Repost

Like

To get your award points, go to the news page when logged in under your Doctor Web account (or create an account). Your account must be linked with one of your social network accounts in order for you to receive award points for participating in our website activities.

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.